
Google Uncovers iPhone Exploit Kit Used by Russian Spies, Likely Built by U.S. Contractor

A powerful iPhone hacking toolkit used by Russian spies and Chinese criminals may have originated inside the U.S. government, infecting at least 42,000 devices.

Dr. Elena Rodriguez

A sophisticated iPhone hacking toolkit tracked by Google's Threat Intelligence Group was used by a suspected Russian espionage operation and Chinese cybercriminals before researchers concluded it almost certainly began life inside the U.S. government or one of its defense contractors.

The toolkit, which Google has dubbed Coruna, was first identified in February 2025 when it appeared during a surveillance vendor's attempt to hack a phone on behalf of an unnamed government customer. Over the following months, Google tracked the same framework moving through two more campaigns: a Russian espionage group known as UNC6353 deployed it against Ukrainian iPhone users through hidden iframes embedded in compromised Ukrainian websites, and later, hundreds of Chinese-language cryptocurrency and finance scam sites used it to steal from iOS users without requiring a single click from victims.

The scale alarmed researchers. Spencer Parker, chief product officer at mobile security firm iVerify, estimated the campaign affected at least 42,000 devices, which he described as "a massive number" for iOS. iVerify has called it the "first known mass iOS attack" of its kind.

The drive-by exploitation method, in which a user's iPhone can be compromised simply by visiting a webpage, is rare enough. What is more alarming to researchers is where the toolkit likely came from. iVerify obtained a copy of Coruna from one of the infected Chinese sites and conducted its own analysis. Co-founder Rocky Cole said the evidence points squarely toward a U.S. origin.

"It's highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the U.S. government," Cole said. He called the components "very likely U.S. government tools" and described this as the first confirmed instance of such tools being adopted and weaponized by foreign adversaries and criminal groups.

Coruna contains five exploit chains leveraging more than 20 vulnerabilities spanning iOS 13 through iOS 17.2.1, covering devices running software released between September 2019 and December 2023. The codebase is written with extensive inline documentation in native-level English, consistent with a professionally developed intelligence platform rather than a criminal product. Cole said the toolkit appears to have been built by a single author, and that many of its components had never been publicly seen before, making it unlikely that adversaries simply stitched together previously discovered code.

The toolkit also shares multiple components with Operation Triangulation, a 2023 hacking campaign that was discovered targeting Russian cybersecurity firm Kaspersky. Russia's FSB blamed that operation on the U.S. government; the NSA declined to comment on that claim. Apple issued patches in response to Triangulation and worked with Google on the newest research, though Apple did not respond to a request for comment on Coruna.

Sources from an unnamed U.S. government defense contractor told reporters that some of the tools identified by Google were theirs, though that claim remains unverified and the contractor has not been publicly identified. As contextual precedent, TechCrunch reported that Peter Williams, former head of U.S. defense contractor L3Harris Trenchant, was sentenced to more than seven years in prison after pleading guilty to stealing and selling eight exploits to a broker with known ties to the Russian government.

Apple has patched the underlying vulnerabilities exploited by Coruna, and the toolkit does not function against the latest iOS versions. Security researchers are urging all iPhone users to update their devices immediately.
